System and method for authentication of network users

ABSTRACT

A network authentication system provides verification of the identity or other attributes of a network user to conduct a transaction, access data or avail themselves of other resources. The user is presented with a hierarchy of queries based on wallet-type (basic identification) and non-wallet type (more private) information designed to ensure the identity of the user and prevent fraud, false negatives and other undesirable results. A preprocessing stage may be employed to ensure correct formatting of the input information and clean up routine mistakes (such as missing digits, typos, etc.) that might otherwise halt the transaction. Queries can be presented in interactive, batch processed or other format. The authenticator can be configured to require differing levels of input or award differing levels of authentication according to security criteria.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of application Ser. No. 09/1315,128, filed May 20, 1999 now U.S. Pat. No. 6,263,447, which claims priority to Provisional Application Serial No. 60/086,258 filed May 21, 1998.

The subject matter of this application is related to the subject matter of U.S. application Ser. No. 09/315,130, entitled “SYSTEM AND METHOD FOR AUTHENTICATION OF NETWORK USERS WITH PREPROCESSING”, filed May 20, 1999, and U.S. application Ser. No. 09/315,129, entitled “SYSTEM AND METHOD FOR AUTHENTICATION OF NETWORK USERS AND ISSUING A DIGITAL CERTIFICATE”, filed May 20, 1999, each having the same inventors and assigned to the same assignee as this application.

FIELD OF THE INVENTION

The invention relates to electronic communications, and more particularly to authenticating the identity of network users.

BACKGROUND OF THE INVENTION

A variety of networks are used today. Computer networks include local area networks (LANs), metropolitan area networks (MANs), wide area networks (WANs), intranets, the Internet and other types of networks. Communication networks include those for conventional telephone service, cellular networks of different varieties, paging services and others. Networks are used for many purposes, including to communicate, to access data and to execute transactions. For many reasons, including security, it is often necessary to confirm or authenticate the identity of a user before permitting access to data or a transaction to occur on the network.

One known approach to computer network authentication is the use of user-specific passwords. Passwords provide some level of protection, but they are not fail-safe. One reason passwords are vulnerable is that users often share them. Even if they are kept private, someone who wants to obtain a password badly enough often can, using random generators, keyboard monitors or other techniques. Moreover, when dealing with unknown users such as people who want to conduct an electronic transaction over the Internet, ad hoc passwords are not practical.

Various non-password schemes exist that perform some level of authentication before authorizing transactions or permitting access to data. These systems generally require a user to provide a sampling of basic identification information such as name, date of birth, social security number, address, telephone number and driver's license information. This sort of information, sometimes known as wallet-type information, is compared to known data such as a credit file to determine how well the user's input matches that source.

For various reasons, one-level authentication schemes are not totally reliable. In some instances, a user who provides accurate identification information may not be authenticated. This may occur, for example, because the user enters a nickname or a contraction rather than a proper name, and the authentication process does not check for a nickname or other variation. As a result, a user who should be entitled to access information or perform a transaction cannot. Other inconsistencies may trigger a false negative, and often the false negative will terminate the transaction without further processing or corrective querying.

In other instances, a user who supplies fraudulent information may be authenticated. This may occur when lost or stolen wallet-type information is entered by an unauthorized user. Other situations may also lead to a false positive result. Both false positives and false negatives are undesirable.

Other reasons for unwarranted summary rejection, and other drawbacks, exist.

SUMMARY OF THE INVENTION

An object of the invention is to overcome these and other drawbacks of existing authentication systems and methods.

Another object of the invention is to provide an authentication system and method that perform a first level of authentication based on a first type of information and, based on the results of the first level of authentication, determine whether to perform at least a second level of authentication using another type of information.

Another object of the invention is to provide an authentication system and method that determine whether to perform at least a second level of authentication depending on available information and the level of certainty desired.

Another object of the invention is to provide an authentication system and method including an automatic interactive query feature.

Another object of the invention is to provide an authentication system and method which preprocess information supplied by the user to check, for example, the standardization, format, validity and internal consistency of that information before comparing it to known data.

Another object of the invention is to provide an authentication system and method which are customizable.

Another object of the invention is to provide an authentication system and method that access information from a variety of data sources.

Another object of the invention is to provide an authentication system and method that allow selection of data sources used for comparison, and the circumstances under which those comparisons are made.

Another object of the invention is to provide an authentication system and method that generate a score indicating the confidence or certainty level of authentication.

Another object of the invention is to provide an authentication system and method in which a minimum score or requirement may be set for particular data fields or sources.

In an illustrative embodiment of the invention, a user who wishes to apply for an online transaction accesses a client/server network through a client terminal. The server side of the network includes an application server communicating with an authentication server. When the user wishes to initiate the transaction or at other times, the authentication server determines whether the user's identity can be confirmed, and the level of authentication that may be accorded to the user's identity based on rules specific to the vendor accepting the transaction.

The transaction the user is applying for, such as an electronic brokerage trade, is either carried out or not carried out or other action taken depending on the results of the authentication. The extent of authentication processing performed depends upon the nature of the transaction and vendor-specific requirements. Once the authentication process has been satisfied, the invention may generate a digital certificate recording authentication levels and other information related to the user. The digital certificate can then be presented in future transactions to avoid the need to reauthenticate the user for each new transaction event.

For example, in the context of electronic commerce, lower risk transactions such as relatively small purchases may not require an extensive authentication process. On the other hand, more sensitive or greater risk transactions such as large purchases or sensitive data access may require a more thorough authentication process and a greater level of certainty. A greater level of security could conceivably be attained by automatically performing a thorough authentication process for every transaction. However, this approach incurs unnecessary costs or resources in cases where only a lower level of certainty is needed.

The invention avoids this drawback by enabling different levels of authentication to be performed based on the level of security desired, reducing costs and unnecessary use of system resources.

Generally in the invention, the user is authenticated according to their ability to respond to successive queries for personal information and the level of match attained from comparing the information they provide with reliable data sources. The user is initially requested to provide a first type of identification information. The first type of information is preferably wallet-type information, that is, information such as name, address, driver's license or other information that may be commonly carried on the person. This information is transmitted to the authentication server which carries out a first level authentication process on that information.

That first level authentication process compares the degree of match between the user-supplied first type of information and known data about the user from other sources. At the completion of this first level authentication process, the authentication server may allow the requested access, allow the requested access with restriction, refuse access or proceed to another level of authentication.

Preferably, the second and any additional levels of authentication request a second, non-wallet type of information from the user. The second type of information is preferably based on comparatively private information that only the user would know. For example, the second type of information may include mortgage loan or other information obtained from a credit report or another source. Such information is typically not carried with a person, and therefore the chances of fraud by someone who obtains lost or stolen information and attempts to execute a transaction are reduced.

The private financial or other data elicited in the second level authentication process may be requested using an interactive query. The interactive query may include multiple choice questions that are automatically generated based upon the information available in the known data sources. For example, the authentication server may access a credit file to identify loans of the user which are still in payback status. One or more loans may be selected and the lender's name and corresponding monthly payment amount retrieved from the credit file.

The interactive query might ask the user for the lender's name or payment amount on the identified loan and offer a number of choices for each of the lender's name and the correct payment amount, only one of which is correct. Depending upon the responses, the user's identity may be authenticated fully, or to a greater or lower degree of certainty compared with that based solely on the first level authentication process.

The invention may include a preprocessing stage executed before first or second level authentication. The preprocessing stage filters or corrects relatively minor mistakes in formatting and consistency in the user's responses, preserving the transaction for further processing and avoiding needless termination before the upper stages are reached.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of an overall process for authenticating users according to the invention.

FIG. 2 is a flowchart of an overall processing flow for authenticating users according to the invention in another aspect.

FIG. 3 is a flowchart of certain aspects of second level authentication according to the invention.

FIG. 4 is a flowchart of a preprocessing process according to the invention.

FIG. 5 is a flowchart depicting a format verification process according to the invention.

FIG. 6 is a flowchart depicting a standardization process according to the invention.

FIG. 7 is a flowchart depicting a validity verification process according to the invention.

FIG. 8 is a flowchart depicting a consistency verification process according to the invention.

FIG. 9 illustrates an example of a verification matrix used in the invention.

FIG. 10 illustrates an example of error codes that may be generated according to the invention.

FIG. 11 illustrates an example of a preprocessing matrix used in the invention.

FIG. 12 illustrates a block diagram of an overall system according to the invention.

FIGS. 13-16 illustrate a transaction record generated according to the invention.

FIGS. 17 and 18 illustrate pattern recognition criteria used by the invention to detect irregularities.

FIG. 19 illustrates potential action taken by the invention upon detection of pattern recognition criteria.

FIG. 20 illustrates a scoring matrix for different types of accounts in second level authentication according to the invention.

FIG. 21 illustrates a relative weighting of different types of queries used in second level authentication according to the invention.

FIG. 22 illustrates a tiering of certainty scores into a set of categories according to the invention.

FIGS. 23-28 illustrate an assignment of overall certainty scores from first and second level authentication results generated according to the invention, from highest to lowest.

FIG. 29 illustrates a tiering of authentication results for different types of source accounts according to the invention.

FIG. 30 illustrates action thresholds for a set of different actions according to the invention.

FIGS. 31-33 illustrate preprocessing and first level authentication queries in an example authentication session according to the invention.

FIGS. 34-36 illustrate second level authentication queries in an example authentication session according to the invention.

FIGS. 37-40 illustrate queries used to issue a digital certificate according to the invention.

FIG. 41 illustrates a digital certificate generated according to the invention.

FIG. 42 illustrates a remote authentication system according to the invention in which authentication is performed in an offline fashion.

FIG. 43 illustrates the offline remote authentication embodiment of the invention operating when a social security number data field is supplied.

FIG. 44 illustrates the offline remote authentication embodiment of the invention operating when a social security field is not supplied.

FIG. 45 illustrates a block diagram of an overall system according to the invention, in another aspect.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The invention in general operates in a network environment and provides a system and method to authenticate a network user's identity using a hierarchy of information queries. The invention may draw on information from one or more data sources to execute the hierarchy of authentication stages, depending upon the transaction or data sensitivity. The invention may dynamically adjust the extent of authentication necessary, based upon preset thresholds or upon tests of input validity as the user supplies that information.

A front-end preprocessing stage may serve to filter or correct erroneous information such as mistaken zip codes, missing digits or other matters of form so that the transaction may be preserved without needless termination before first or second level authentication. At the conclusion of the authentication process, the invention may issue a digital certificate to the user's machine to record authentication information, to present for later transactions or to update. An illustration of the overall architecture of the invention is in FIG. 45, and flowcharts of the overall processing flow are shown in FIGS. 1 and 2.

In terms of the network environment of the invention, in an embodiment illustrated in FIG. 12, client 110 communicates with application server 130 over a physical or wireless transmission link 150. Transmission link 150 may be a direct Internet connection or include the Internet as an intermediate segment. Transmission link 150 may include a dial-up Internet connection, dial-in server access, an intranet connection, a T1 or T3 digital line, an ISDN digital line, LAN connection, a wide area network, Ethernet, DSL connection or other wired or wireless connection.

In an Internet context, application server 130 preferably contains Internet server software (such as the publicly available Apache package or others) communicating with a browser application resident on client 110, which may be a personal computer or workstation running the Microsoft Windows™ 95 or 98 operating systems, Internet access device such as a WebTV™ unit, or other hardware or software.

The system includes an authentication server 120 on which the authentication process 10 of the invention is resident and executes. Authentication process 10 may be for instance implemented in programmed machine instructions, such as in C, C++, Java or other compiled, interpreted or other computer programming languages. In an alternative embodiment, authentication process 10 may be coresident on application server 130, obviating the need for authentication server 120. Authentication server 120 and application server 130 each may be a workstation or personal computer, for instance running the Unix, Linux or Microsoft Windows™ NT™ operating systems or other hardware and software, and each may communicate with various databases to obtain user identification information for first and second level authentication.

As illustrated in FIG. 12, such databases may include a credit database 160, mail database 170, phone database 180 and one or more other databases 190 which may be directly or indirectly accessible by or resident on authentication server 120 or application server 130. In addition, authorization database 152 is associated and communicates with authentication server 120. Authentication process 10 preferably receives and stores data to and from the authorization database 152, including transaction record 112 (illustrated in FIGS. 13-16) which logs user input, queries and other information as a temporary or permanent record.

FIG. 12 also shows one or more resources 140 which are accessible to application server 130. These may include, for example, databases, other computers, electronic memory, CD ROMs, RAID storage, tape or other archival storage, routers, terminals, and other peripherals and resources.

According to the invention, a user who wants to access information or process a transaction over a network is prompted to submit information to authentication process 10 through client 110. Authentication process 10 invokes the preprocessing step 26, in which the user is prompted to supply a first type of user identification information. The first type of user identification information preferably comprises wallet-type information such as name, address, phone number, social security number, driver's license number and other common personal information.

This information is supplied to authentication process 10 via application server 130, in a standard application format, by client 110. In one aspect of the invention, application server 130 may be operated by an online vendor, such as a brokerage firm, merchandise retailer or other (see e.g. FIG. 45) and serves as a conduit between client 110 and authentication server 120 once authentication process 10 is invoked. It is possible however for client 110 and authentication server 120 to communicate the requested data directly without passing through application server 130.

The user inputs the first type of information requested into client 110. Data may be queried from the user through textual questions, graphical user interfaces (GUIs), hyper text markup (HTML) forms or any other suitable mechanisms, either in a real-time interactive environment or through a batch submission. Selection of the input mode may depend upon various factors such as resource loading and availability, business model, user and system traffic and transaction criticality.

Following the initialization of the transaction record 112, the association check 24 may be executed. Before entering the preprocessing step 26, the authentication process may invoke association check 24 to evaluate whether the request under consideration is associated with other requests or attempts, whether recent, concurrent or otherwise. The purpose of the association checks is to filter requests suspected to be fraudulent or part of an attack of some kind. Pattern recognition (illustrated in FIGS. 17 and 18) may be used to identify requests which should be identified as having a fatal defect or potential for fraud, requiring immediate rejection of the request.

In a preferred embodiment, authentication process 10 stores information received through all requests in the authorization database 152, which stores transaction record 112 logging all input received from the user. Using this information, association checks based upon available data are facilitated. For example, if one attempt at access includes a name and an associated social security number, a concurrent or later request with the same name but a different social security number may be denied or flagged for further authentication.

Conversely, if the later request includes a different name but the previously submitted social security number, the request may also be denied or flagged for further authentication. Association checks can examine any data provided by the user before or during the preprocessing step 26.
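The name and social security number association check described above, sketched as an added Python example that is not code from the patent. The class name, the in-memory index standing in for authorization database 152, the normalization rules and the sample requests are all assumptions made for illustration.

```python
import re
from collections import defaultdict


def norm_name(first, last):
    """Fold case and spacing so formatting differences are not read as a new name."""
    return " ".join(f"{first} {last}".upper().split())


def norm_ssn(ssn):
    """Keep digits only, so 123-45-6789 and 123456789 compare equal."""
    return re.sub(r"\D", "", ssn or "")


class AssociationCheck:
    """Hypothetical in-memory index over the name/SSN pairs logged by earlier requests."""

    def __init__(self):
        self.ssns_by_name = defaultdict(set)
        self.names_by_ssn = defaultdict(set)

    def evaluate(self, first, last, ssn):
        name, number = norm_name(first, last), norm_ssn(ssn)
        reasons = []
        # Same name seen earlier with a different number.
        if self.ssns_by_name.get(name, set()) - {number}:
            reasons.append("name previously submitted with a different SSN")
        # Same number seen earlier under a different name.
        if self.names_by_ssn.get(number, set()) - {name}:
            reasons.append("SSN previously submitted with a different name")
        # Every attempt is logged, flagged or not, so later requests are
        # compared against the full history rather than only accepted ones.
        self.ssns_by_name[name].add(number)
        self.names_by_ssn[number].add(name)
        # The reasons deliberately omit the stored values themselves.
        return ("flag", reasons) if reasons else ("pass", [])


def replay(requests):
    """Run a sequence of (first, last, ssn) requests through one checker."""
    checker = AssociationCheck()
    return [checker.evaluate(*request) for request in requests]


# Constructed sample requests, in arrival order.
SAMPLE_REQUESTS = [
    ("Jane", "Doe", "123-45-6789"),   # first sighting
    ("jane", " DOE ", "123456789"),   # same person, different formatting
    ("Jane", "Doe", "987-65-4321"),   # same name, different SSN
    ("John", "Roe", "123-45-6789"),   # different name, earlier SSN
    ("John", "Roe", "987-65-4321"),   # conflicts on both the name and the SSN
]

if __name__ == "__main__":
    for request, outcome in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print(request, outcome)
```

Whether a flagged request is denied outright or routed to further authentication is left to the caller, as the text leaves that choice open.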

After association check 24, the preprocessing step 26 may occur at one or more of authentication client 110, authentication server 120 and application server 130. Preprocessing step 26 at client 110 may be effected through the use of, for example, the transmission of Java applets to client 110 or through other software resident or executing on client 110. Thus, although authentication process 10 is shown in FIG. 12 to be resident on authentication server 120, portions or all of authentication process 10 may be distributed elsewhere.

One advantage of the preprocessing step 26 is that it processes as much of the requested data as possible before retrieving data from separately stored data sources such as credit files, which can be expensive in terms of processing resources, time and cost. Those separate data files may be accessible via the Internet or other networks, may be owned by separate entities and may involve a per-access charge. The preprocessing step 26 involves in one regard assuring that data formatting is consistent between the information supplied by the user and what is expected in the databases.

Preprocessing step 26 thus helps to ensure that the supplied data is as accurate as possible to increase the likelihood of generating a match when the user's identity is genuine. This reduces false negatives due to inconsistencies such as supplied nicknames instead of a full first name, contractions, missing titles, or mismatched formatting of social security numbers applied against known data sources.

If the data supplied by the user is determined to be not feasible, incorrect, or otherwise clearly deficient before soliciting data from the separate data sources, it is still possible to proceed to those other data sources after the user input has been revised to meet the minimum requirements without interrupting the overall transaction.

If the user does not respond to a request for a mandatory item of information (e.g., name) it is preferable to reprompt the user for that field before incurring any database charges or expending additional processing resources. Another example where interception in this manner is beneficial is when a user supplies a six digit social security number. In this case it is clear that the response is deficient and no match is possible in the social security number databases, so those databases should not be unnecessarily accessed.

In a preferred embodiment, the preprocessing step 26 may perform one or more of the following validation checks.

1) Standard Field Checks. To ascertain whether all required information fields are present and in the proper format and if not, reprompt for them or reformat them as necessary to proper form.

2) Social Security Check. The input social security number is compared with one or more published social security number tables or processed using one or more algorithms to determine its validity. These tables may include such information as numbers reported as deceased or fraudulent.

3) Address and Telephone Checks. The address and telephone number provided are verified for consistency (i.e., city, state, and zip code agree; area code agrees with state) and the user's address is standardized. Standardization allows for more accurate matching with other databases at later stages of authentication process 10. During the preprocessing step 26, rejection or flagging for additional authentication may occur as a result of mismatches.

4) Driver's License Validation Check. The input driver's license number is processed to verify that the number is valid for the state of issue. These algorithms may be obtained through departments of motor vehicles or otherwise.

The following information is preferably prompted for (R being required, O being optional) by authentication process 10 during preprocessing step 26 and supplied by the user:

TABLE 1

DESCRIPTION                             REQ/OPT
Last Name                               R
First Name                              R
Middle Initial                          O
Suffix                                  O
Maiden Name, if applicable              O
Current Address (CA)                    R
At CA <2 Years Indicator (Y/N)          R
Former Address                          R only if At CA <2 Years Indicator is Y, otherwise Optional
Home Phone Number                       R
Area Code Change Indicator (Y/N)        R
Home Phone Published Indicator (Y/N)    R
Work Phone Number                       O
Gender                                  R
Date of Birth                           R
Social Security Number                  R
Drivers License Indicator (Y/N)         R
Drivers License Number (DL)             R only if DL Indicator set to Y, otherwise Optional
Drivers License State of Issue          R only if DL Indicator set to Y, otherwise Optional
Mother's Maiden Name                    O
Year of High School Graduation          O
Number of Siblings                      O, includes half and step siblings
Email Address                           O

Other, non-wallet information, which is used for subsequent levels of authentication, can be collected during preprocessing step 26 or deferred until a later phase of the authentication process 10. A user failing to supply this information during preprocessing step 26 may be reprompted for it, and processing may or may not continue in the event the user never supplies information designated as required. This information preferably includes:

TABLE 2

DESCRIPTION                REQ/OPT
Name of Lender             R, only if Second Level Authentication used
Loan Account Number        O
Loan Type Indicator        R, only if Second Level Authentication used
Monthly Payment Amount     R, only if Second Level Authentication used

Preprocessing step 26 may thus include a set of validation checks including standard field checks, social security number validation, address validation, area code validation, and driver's license validation and other preliminary data verification. It is preferable that preprocessing occur in the order presented, in part due to data dependencies of later checks on the earlier ones. However, it will be understood that the order may be rearranged, and different preprocessing checks may be employed. The enumerated validation checks are discussed in more detail in order below.

First, standard field checks preferably occur at client 110, where and when the requested data is collected, to ensure that all required data is present and all provided data is in the proper format and meets minimum requirements. Completing this processing at client 110 minimizes the number of requests that must be terminated at this early point in the authentication process due to formally incorrect data. This is particularly important when the user is not present at the time of authentication, such as when requests are submitted in batch form rather than interactively. In general, the standard field checks make sure that an expected range or format of characters are input by the user, appropriate to individual queries and data types.

The following is preferably accomplished during standard field checks:

1) All required fields must be present.

2) All provided fields must be in the proper format.

First name must have at least one letter provided.

Phone numbers must have 10 digits.

Social security number must have 9 digits.

Social security number must not have all 9 digits the same.

Social security number's first 3 digits must not be equal to 000.

Social security number's 4th and 5th digits must not be equal to 00.

Social security number's last 4 digits must not be equal to 0000.

3) Specified fields must meet additional requirements.

Age, derived from date of birth, must be 18 years old or older. (However, a telephone number and drivers license may still be verified, even if a credit file is not available.)

Email address must contain an @ sign and a “.com” or other domain.

The user is preferably afforded up to two additional attempts to correct any fields that do not meet the standard field check requirements. If any field cannot be corrected after a total of three attempts, the authentication process 10 is preferably aborted. If the request has been successfully completed as determined by the standard field check portion of preprocessing step 26, the request may continue to the next preprocessing check.
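The standard field checks and the three-attempt limit described above, sketched as an added Python example that is not code from the patent. The field names, error strings and the `run_attempts` helper are assumptions, the date of birth is assumed to arrive as a `date` object, and the sample records are constructed.

```python
import re
from datetime import date

# Field names are assumptions for this example; Table 1 lists the fields themselves.
REQUIRED = ("last_name", "first_name", "home_phone", "ssn", "date_of_birth")
MAX_ATTEMPTS = 3  # first submission plus two corrections


def only_digits(value):
    """Reformatting step: strip dashes, spaces and parentheses before checking."""
    return re.sub(r"\D", "", str(value or ""))


def ssn_errors(ssn):
    """Format rules for the social security number from the list above."""
    d = only_digits(ssn)
    if len(d) != 9:
        return ["ssn: must have 9 digits"]
    errors = []
    if len(set(d)) == 1:
        errors.append("ssn: all 9 digits are the same")
    if d[:3] == "000":
        errors.append("ssn: first 3 digits are 000")
    if d[3:5] == "00":
        errors.append("ssn: 4th and 5th digits are 00")
    if d[5:] == "0000":
        errors.append("ssn: last 4 digits are 0000")
    return errors


def age_on(dob, today):
    """Whole years between the date of birth and the day of the request."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def standard_field_checks(record, today):
    """Return 'field: problem' strings; an empty list means the request may continue."""
    def filled(field):
        return bool(str(record.get(field) or "").strip())

    # 1) All required fields must be present.
    errors = [f"{f}: required field missing" for f in REQUIRED if not filled(f)]
    # 2) All provided fields must be in the proper format.
    if filled("first_name") and not re.search(r"[A-Za-z]", record["first_name"]):
        errors.append("first_name: needs at least one letter")
    for phone in ("home_phone", "work_phone"):
        if filled(phone) and len(only_digits(record[phone])) != 10:
            errors.append(f"{phone}: must have 10 digits")
    if filled("ssn"):
        errors.extend(ssn_errors(record["ssn"]))
    # 3) Specified fields must meet additional requirements.
    if filled("date_of_birth") and age_on(record["date_of_birth"], today) < 18:
        errors.append("date_of_birth: applicant is under 18")
    if filled("email") and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", record["email"]):
        errors.append("email: needs an @ sign and a domain")
    return errors


def run_attempts(submissions, today):
    """Check successive submissions; abort once MAX_ATTEMPTS have all failed."""
    errors, used = ["no submission received"], 0
    for used, record in enumerate(submissions[:MAX_ATTEMPTS], start=1):
        errors = standard_field_checks(record, today)
        if not errors:
            return ("continue", used, [])
    return ("abort", used, errors)


if __name__ == "__main__":
    today = date(1999, 5, 20)  # fixed date so the age check is reproducible
    # Constructed sample input: a first try with two defective fields, then a corrected retry.
    first_try = {"last_name": "Doe", "first_name": "Jane", "home_phone": "555-0100",
                 "ssn": "000-00-0000", "date_of_birth": date(1970, 1, 1)}
    retry = dict(first_try, home_phone="(404) 555-0100", ssn="123-45-6789")
    print(standard_field_checks(first_try, today))
    print(run_attempts([first_try, retry], today))
```

Running these checks before any lookup is what keeps a malformed request, such as the six digit social security number mentioned earlier, from reaching the per-access data sources.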

At that next stage of standard field checks, the social security number may be checked for some or all of the following:

Social security number contains 9 digits

Social security number ≠ 000000000, 111111111, . . . , 999999999.

Social security number first 3 digits ≠ 000

Social security number 4th and 5th digits ≠ 00

Social security number last 4 digits ≠ 0000

Social security number does not match any social security number found on the social security number fraud table.

Social security number is in the issued range as determined by a lookup on the social security number range table.

Date of birth agrees with the social security number issue dates.

The check against the published social security number fraud table isused to ensure that the supplied social security number is not listed asfraudulent. Such a table may be obtained from any of a number of sourcesincluding, for example, credit reporting companies or law enforcementagencies. The social security number range table is used to ensure thatthe supplied social security number is not an invalid number. Such atable may be obtained from any of a number of sources including, forexample, governmental agencies.

Once it has been determined that the social security number has beenissued, and a range of issue dates is known, the date of birth providedon the request can be compared to the date range for consistency. It isthus possible to perform another check to ensure that the socialsecurity number is valid based upon date of birth information.

The user is preferably given only one additional attempt to correctsocial security number information that has been rejected by socialsecurity number validation checking. If the social security numbercannot be accepted after a total of two tries, authentication process 10is preferably aborted.

Next, the validity of address information is confirmned, preferablyusing an address correction and standardization package (such as thePostalSoft package available from First Logic Corp.). For currentaddress, and former address if provided, the package may:

Verify that the city, state and zip code agree. If only a city and stateare provided, the package may be able to add the zip code. If only a zipcode is provided, the package usually can add the city and state.

Standardize the address line. The package can correct misspelled streetnames, fill in missing information and strip out unnecessary punctuationmarks and spaces.

Identify undeliverable addresses (i.e., vacant lots, condemnedbuildings, etc.).

Create a status code that tells how an input address had to becorrected.

Create an error code that tells why an input address could not bematched, or assigned.

Responses, or actions, for each of the possible address-related statuscodes or error codes in error code matrix 156 (illustrated in FIGS.9-11) are provided as output during the preprocessing step 26. The useris preferably given only one additional attempt to correct each addressthat has been rejected by address validation. If the address cannot becorrected after a total of two attempts, the request proceeds asdesignated in the response matrix 154 illustrated in FIGS. 9-11. Theresponse matrix 154 may be located on authentication server 120, inauthorization database 152 or elsewhere and serve to associate messageswith test results and transaction records during the address portion ofpreprocessing step 26, concurrently with overall application processing.

In other words, the response matrix 154 sends messages to client 110 based upon specific verification tests or based upon the current status of the transaction record 112. For example, the message may prompt the user to verify that data which was input is correct, or may direct the user to call customer service for manual intervention. The response matrix 154 is preferably parameter driven, so that appropriate messages can be associated with particular events.

The area code for the home phone number is preferably checked to determine if it is valid for the state supplied in the current address, in preprocessing step 26. The area code and state provided in connection with the request are compared with an entry for the area code in an area code table, available from database and other sources. The area code table contains area code information for each of the area code locations in the geographic area being served.

The database for the area code and associated information may be preferably implemented, for example, using the commercially available MetroNet package. The phone number database information may be stored in phone database 180 connected to authentication server 120, or otherwise. The consistency of area code to state of residence may, for instance, be checked.

The user is preferably given only one additional attempt to correct home phone number information that has been rejected by the area code validation check. After the home phone number has been accepted or after a total of two tries, the process indicates the result, valid or not valid, in the transaction record 112 and proceeds.

Next, the driver's license number is checked to ensure that the format of the number is consistent with the format for the state of issue. An algorithm may look up the state of issue and compare the driver's license number provided in the request with the accepted format for the state. The user is preferably given only one additional attempt to correct driver's license number information that has been rejected by the driver's license check (or may be terminated immediately, according to vendor preference). After the driver's license number has been accepted or after a total of two tries, the authentication process 10 indicates the result, valid or not valid, in the transaction record 112 and proceeds.

In the event the user will be paying for a product or service with a credit card, authentication process 10 may invoke credit card verification at this point. In this case, checks may be executed against a credit card database. These checks may include ensuring that the available credit line is sufficient to make the purchase, ensuring that the billing address for the credit card in the database matches the submitted address, and ensuring that the credit card is not stolen. Databases presenting this sort of information are commercially available.

Preprocessing step 26 thus may include internal corrections as well as comparisons of user-supplied data to known data which may be obtained from separate sources. Those sources may be third party databases such as commercial or government databases, or internal databases. Preferably, however, preprocessing step 26 is limited to checking user-supplied data against wallet-type data which is relatively conveniently, and locally, accessed. Preprocessing step 26 consequently offers increased certainty of authentication by using additional databases and requiring internal consistency as a predicate to first and second level authentication.

In conjunction with the checks carried out by preprocessing step 26, credit database 160 may be any suitable consumer credit history database available from various sources including credit reporting companies such as Equifax™. Mail database 170 and phone database 180 may be any suitable databases providing address and telephone information for the relevant geographic area (e.g., MetroMail which is a compendium of regional Bell operating company-supplied information). Other databases 190 may include, for example, a check services drivers license database which provides information concerning check validity. Any commercially available or internal database or others may be employed in processing the verification substeps of the preprocessing step 26.

Additionally, the checks of preprocessing step 26 may include the use of a credit card application fraud model, or some other model which statistically analyzes response data. For example, the data supplied by the user may be modeled and graded for confidence level based upon empirical models supplied by third party vendors or available internally. An illustration of pattern recognition criteria that may be employed in this regard by the invention is illustrated in FIGS. 17 and 18. As illustrated in those figures, in general the invention monitors user input recorded in transaction record 112 or otherwise for repetitive attempts at authentication, which may represent attempted fraud or some type of network attack.

In such instances, and as illustrated in pattern recognition criteria matrix 904 shown in FIG. 17, the input may include valid portions of information such as a social security number but varying unsuccessful attempts to find valid input for other fields. At any time during authentication process 10, the invention may preempt the authentication event and terminate the session when pattern recognition senses a significant probability of irregularity. Different responses to different types of detected potential fraudulent transactions are shown in the pattern recognition match action matrix 912 of FIG. 19. As illustrated in the figure, different types of inconsistencies may result in different actions, including the locking out of suspected fraudulent entries for such patterns as the same name under varying email addresses. Other inconsistencies may result in the starting of the authentication process 10 over again (QILT entries) at user request.
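The repetitive-attempt monitoring described above can be sketched as a pass over stored transaction records. This is an added example, not code from the patent: the record fields, the limit of three variants and the sample records are assumptions constructed for illustration, and the two rules mirror only the two patterns the text names.

```python
from collections import defaultdict
from typing import NamedTuple


class Attempt(NamedTuple):
    """One authentication attempt as it might be kept in a transaction record."""
    name: str
    ssn: str
    dob: str
    email: str
    passed: bool


# Constructed sample records (not real data).
SAMPLE = [
    Attempt("Pat Example", "000-00-0001", "1970-01-01", "pat@example.test", True),
    Attempt("Lee Sample", "000-00-0002", "1980-02-02", "lee@example.test", False),
    Attempt("Lee Sample", "000-00-0002", "1981-02-02", "lee@example.test", False),
    Attempt("Lee Sample", "000-00-0002", "1982-03-02", "lee@example.test", False),
    Attempt("Sam Demo", "000-00-0003", "1990-05-05", "s1@example.test", False),
    Attempt("Sam Demo", "000-00-0004", "1990-05-05", "s2@example.test", False),
    Attempt("Sam Demo", "000-00-0005", "1990-05-05", "s3@example.test", False),
]


def _norm(text):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(text.lower().split())


def detect_patterns(attempts, limit=3):
    """Return (pattern, key, action) tuples for repeated-attempt patterns.

    limit is an assumed tuning parameter: the number of distinct variants
    seen for one key before the pattern is reported.
    """
    variants_by_ssn = defaultdict(set)   # failed attempts: ssn -> other-field variants
    emails_by_name = defaultdict(set)    # all attempts: name -> email addresses
    for a in attempts:
        if not a.passed:
            variants_by_ssn[a.ssn].add((_norm(a.name), a.dob))
        emails_by_name[_norm(a.name)].add(_norm(a.email))

    findings = []
    # Same social security number, varying unsuccessful guesses at other fields:
    # the text has the session preempted and terminated.
    for ssn, variants in sorted(variants_by_ssn.items()):
        if len(variants) >= limit:
            findings.append(("same_ssn_varying_fields", ssn, "terminate_session"))
    # Same name under varying email addresses: the text names lockout.
    for name, emails in sorted(emails_by_name.items()):
        if len(emails) >= limit:
            findings.append(("same_name_varying_email", name, "lock_out"))
    return findings


if __name__ == "__main__":
    for finding in detect_patterns(SAMPLE):
        print(finding)
```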

In a preferred embodiment of the invention, the data supplied by the user must match a record from at least two data sources to graduate from the preprocessing step 26. This increases the level of certainty that the user's identity is genuine before graduating from that stage. Matching routines, implemented for each data source and type of check, compare query data to known source data and preferably assign a value to every match instance. This value may be termed an authenticity certainty score. An authenticity certainty score may be accumulated based upon the collective values assigned for each match instance of preprocessing step 26. The authenticity certainty score may be employed and compared against predetermined thresholds to determine the next action for the request (i.e., approve, approve with restrictions, deny, go to first or other level preprocessing).
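The accumulation of an authenticity certainty score and the two-source rule can be shown concretely. This is an added example, not code from the patent: the point values, the thresholds, the 0 to 100 scaling at this stage, the rule for what counts as a record match within one source, and the sample records are all assumptions constructed for illustration.

```python
# Assumed point values per matched field for each data source; the patent's
# own scoring figures are not reproduced on this page.
WEIGHTS = {
    "credit": {"name": 10, "ssn": 25, "address": 15, "dob": 10},
    "phone": {"name": 10, "address": 10, "phone": 15},
    "license": {"name": 5, "dl_number": 10, "dob": 5},
}
# Assumed thresholds on the 0-100 score, highest first.
THRESHOLDS = [(80, "approve"), (60, "approve_with_restrictions"), (40, "next_level")]
MIN_SOURCES = 2            # from the text: a record match in at least two data sources
SOURCE_MATCH_SHARE = 0.5   # assumption: half of a source's points counts as a record match

# Constructed query and source records (not real data).
QUERY = {"name": "Pat Example", "ssn": "000-00-0001", "address": "1 Main St",
         "dob": "1970-01-01", "phone": "555-0100", "dl_number": "X0000001"}
SOURCES = {
    "credit": {"name": "PAT EXAMPLE", "ssn": "000000001",
               "address": "1 Main St.", "dob": "1970-01-01"},
    "phone": {"name": "Pat Example", "address": "1 Main Street", "phone": "5550100"},
    "license": None,   # no record found in this source
}


def _norm(value):
    """Compare values ignoring case, punctuation and spacing."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def score_request(query, sources):
    """Accumulate a value for every match instance and pick the next action."""
    per_source = {}
    for source, weights in WEIGHTS.items():
        record = sources.get(source) or {}
        per_source[source] = sum(
            points for field, points in weights.items()
            if field in query and field in record
            and _norm(query[field]) == _norm(record[field])
        )
    # A source counts as a record match only above its assumed share of points.
    matched = sorted(
        s for s, points in per_source.items()
        if points >= SOURCE_MATCH_SHARE * sum(WEIGHTS[s].values())
    )
    possible = sum(sum(w.values()) for w in WEIGHTS.values())
    score = round(100 * sum(per_source.values()) / possible)
    if len(matched) < MIN_SOURCES:
        action = "resubmit"   # fewer than two sources: ask for corrected data
    else:
        action = next((a for floor, a in THRESHOLDS if score >= floor), "deny")
    return {"score": score, "per_source": per_source,
            "matched_sources": matched, "action": action}


if __name__ == "__main__":
    print(score_request(QUERY, SOURCES))
```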

If the data provided by the user does not meet the requirements of some or all of the checks of preprocessing step 26, a message may be returned to the user via link 150 requesting the data in question be corrected and resubmitted. Upon resubmission, the input data will again be analyzed. Alternatively, authentication process 10 may be preconfigured to immediately reject a request based upon a failure to satisfy a minimum level during preprocessing step 26.

If the request is identified as a result of the association check 24 or other analysis as possibly fraudulent using the association check or otherwise, a message may be returned to client 110 indicating that the request cannot be processed automatically and that manual processing such as calling customer service is necessary.

Biometric data may be employed either alone or in combination with the above preprocessing as well as subsequent authentication levels to ensure the identity of a user. That biometric data may include, for example, fingerprint information from the user, captured in analog or digital form, for instance, via an imprint peripheral connected to client 110. Biometric data may also include infrared or other retinal or iris scans, or finger or hand geometry matches. Likewise, biometric data used by the invention may also include handwriting recognition, voice recognition using digitized sampling or other means or facial recognition input from video or other devices.

The biometric data may also include DNA database matching. In general, any biometric technology now existing or developed in the future may be incorporated in the invention. The biometric data may be used as input fields or records in the preprocessing, first or second authentication level stages. Alternatively, biometric data may be used as a key to unlock and release a digital certificate 902 issued to the user, to be stored on client 110 or otherwise.

FIG. 1 is a flowchart illustrating the overall authentication process according to the invention. Authentication process 10 starts at step 12. The authentication process 10 prompts a user for first level information at step 14. Again, the first type of information is preferably wallet-type information, that is, information such as name, address, driver's license or other information commonly carried on the person. The user inputs that first level information via a keyboard, mouse, voice digitizer or other suitable input mechanism at step 16. Step 18 identifies that the user has completed first level information input. Step 20 transmits the input. The transaction record 112 is initialized at step 22.

Step 24 performs an association check on the information input by the user. Authentication process 10 may then invoke the preprocessing step 26 discussed above. If preprocessing step 26 is included, step 28 may also be provided, which determines whether preprocessing step 26 is complete. If preprocessing step 26 is not complete, authentication process 10 may return to step 14 to prompt the user for omitted, corrected or additional information, return to step 16 to allow the user to input information, or end authentication process at step 30. If preprocessing step 26 is complete, authentication process 10 proceeds to step 32 of first level authentication.

Authentication process 10 matches, at step 32, the first type of information input by the user with information received from one or more separate data sources. Based on that comparison, authentication process 10 determines whether the first level authentication is complete at step 34. If the first level authentication is not complete, authentication process 10 may return to step 14 to prompt the user for omitted, corrected or additional information, return to step 16 to allow the user to input information, or end authentication process at step 36.

If the first level authentication is complete, authentication process 10 determines at step 38 whether the user should be authenticated. If the user has not been rejected outright but has not yet been authenticated, authentication process 10 proceeds to step 40, second level authentication. Step 40 requests and tests the user's input of a second type of information, which is preferably non-wallet type information.

Authentication process 10 determines whether a request for information has been repeated more than a predetermined number of times at step 42. If the attempt exceeds the predetermined limit, authentication process 10 ends at step 44. If the attempt does not exceed the predetermined limit, authentication process 10 determines whether step 40 is complete at step 46. If step 40 is complete, authentication process 10 renders an authentication decision at step 48, then ends at step 50. If step 40 is not complete, authentication process may return to step 38 or end at step 47.

FIG. 2 is a flowchart illustrating the process of the first level authentication step 32 in more detail. First level authentication process 32 initiates at first level comparing step 52. The first level comparing step 52 compares the information input by the user with information about the user retrieved from one or more known data sources. The user may be queried in the first level authentication step 32 for similar information to that accepted during the preprocessing step 26, or for refined or additional information. During processing of any user-input phone number information in the first level authentication step 32 after preprocessing step 26 (but preferably not in preprocessing step 26 itself), if the user indicates that they have been at the home telephone number for less than four months, the home telephone number and related source information may be preferably further checked against an electronic directory assistance source, for better currency as compared to an offline database. During processing of any user-input driver's license information in the first level authentication step 32 (but preferably not in preprocessing step 26), any further checks against the driver's license database may be preferably implemented, for example, using the commercially available ChoicePoint drivers license database. Information from that external database is generally derived from official department of motor vehicle records or insurance claims information, the content of which may vary by state of issue. Step 54 assigns values and priorities to each response input by the user. Information that is of greater significance may be assigned a higher value or priority.

The transaction record 112 (illustrated in FIGS. 13-16) initialized in step 22 is used throughout the authentication process 10 to keep track of user input and authentication results. After the appropriate queries have been processed and all results stored in the transaction record 112, the transaction record 112 is used to determine an authentication score with respect to the request. Step 56 calculates the total authentication score, and optionally, a score for each data source, data field, etc. The results are categorized as a big hit (B), a regular hit (R), a possible hit (P), or no hit (N) depending on results. Those results may then be combined with the results of second level authentication process 40 to determine an overall authenticity certainty score, as illustrated in FIGS. 23-28 and discussed below.

Authentication process 10 determines whether one or more of the authentication scores is greater than or equal to a predetermined authentication value or threshold at step 58. If the authentication scores are greater than or equal to the predetermined authentication value, authentication process 10 renders an authentication decision at step 60 and then ends at step 62.

If one or more of the scores are less than their corresponding predetermined authentication value, authentication process 10 determines whether the level of certainty meets a predetermined certainty level at step 64. If the level of certainty is below the predetermined certainty level, authentication process 10 ends at step 66. Otherwise, authentication process 10 determines whether corrected or additional first type information is needed at step 68. If no other information is needed, authentication proceeds to step 40, second level authentication. If user input information needs to be revised, authentication process 10 may return to step 14 or step 16.

FIGS. 31-33 illustrate a set of queries associated with preprocessing step 26 and first level authentication 32 in an example authentication session according to the invention. As can be seen in the figures, these phases of the invention query for and process wallet-type information to reach a first level of confidence about the genuineness of the user's identity.

FIG. 3 is a flowchart illustrating the second level authentication process 40 in more detail. Second level authentication process 40 begins with step 310. Step 310 accesses available second type information from data sources, such as a credit file. Step 312 prompts the user for second type information from within that determined to be available in step 310. Step 314 determines whether the user input matches the accessed information.

In the execution of second level authentication process 40, authentication server 120 may access credit database 160. Credit database 160 may be preferably implemented, for example, using a commercially available Equifax™ consumer credit file, in the ACRO file format.

Inquiries may be transmitted back and forth between application server 130 and authentication server 120 during second level authentication process, using the System-to-System 93 (STS) inquiry format for these types of data files, as will be appreciated by persons skilled in the art. Credit line information returned from credit database 160 may be in System-to-System file fixed format (FFF), consistent with the ACRO file configuration. Second level authentication process 40 executes the search against credit database 160 to match the user's input against data in that file.

The search may be carried out according to the ACRO L90 search format, with results again categorized as a big hit (B), a regular hit (R), a possible hit (P), or no hit (N) depending on results, which in one embodiment are returned to authentication server 120 starting in ACRO header segment position 285 in a 13 byte segment. Matches or no matches are returned as logical flags within that header segment.

If the information matches, authentication process 10 either provides a higher degree authentication in step 316 or issues another degree of authentication in step 318. If the information does not match, authentication process 10 may issue a lower degree authentication, return to step 312 or end at step 324.

An example of point scoring used in second level authentication according to the invention is illustrated in FIGS. 20 and 21. The scoring matrix 906 of FIG. 20 includes a set of point values related to trade line accounts which the user may have, on a sliding scale according to the relative degree of significance of various accounts. In general, and as indicated in the relative weight matrix of FIG. 21, the proper identification of a lender name is given greater weight compared to monthly payment amount or terms of account data.

In FIG. 22, the resulting certainty scores are ranked according to four categories of big hit (B), regular hit (R), probable hit (P), and no hit (N). Different combinations of accounts may lead to different maximum scores, according to the reliability or significance of the accounts available for second level authentication step 40.

Upon completion of both the first level authentication step 32 and second level authentication step 40, results of all checking may be assembled to determine an overall authenticity certainty score, values for which are illustrated in the overall certainty scoring matrix 918 of FIGS. 23-28. In general in those figures, big hits on credit file (second level authentication) checks contribute to higher overall certainty scores, which are normalized to 0 to 100. However, preferably no single check qualifies or disqualifies a user from authentication.

Rather, according to the invention the aggregate weighting of all the user's responses is factored into a variety of possible score ranges, depending on how highly the information they supplied correlates to the entire collection of data sources used by the invention. The scoring levels may be aggregated as shown in the assignment matrix 920 of FIG. 29 to develop a tiered categorization (B, R, P, N) for all levels of authentication, and generate responses according to threshold table 922 as illustrated in FIG. 30. While particular numerical levels are shown in those matrices, it will be appreciated that the different scores and tiers are selectable or scalable according to application needs, in the invention.

FIGS. 34-36 illustrate a set of queries in screen shot form associated with second level authentication step 40 in an example authentication session according to the invention. In general, at this stage the authentication process 10 identifies and accesses trade (credit) line information to query for data of a specific and private nature, which enhances the security profile of the user. In the example shown, both credit and merchant or trade line accounts are queried for lender identity and amounts. Accurate identification results in authentication, followed by issuance of a digital certificate 902 as desired.

The system and method of the invention are customizable to allow a vendor operating an authenticating server 120 to set various parameters, including the thresholds or predetermined levels at different points of authentication process 10. If the predetermined authentication or certainty level has not been reached for a particular data source or data field, the user may not be eligible for authentication, or a higher degree of authentication.

If a user successfully completes preprocessing, first and second authentication, in one embodiment the invention may issue a digital certificate 902 to the user, as illustrated in FIGS. 37-41. As illustrated in FIGS. 37-40, after an indication of successful authentication the user is directed to input identification and challenge or password information to generate and store digital certificate 902. The digital certificate 902 contains a set of fields including user identification, a digital certificate serial number, an expiration period, as well as information related to the issuer of the digital certificate and fingerprint data for the digital certificate.

The digital certificate 902 may be preferably stored in secure fashion on client 110, that is, protected by user identification and challenge or password queries before the recipient can release the digital certificate 902 for further transactions, as illustrated in FIGS. 37 and 38. Digital certificate 902 may be a data file stored in common machine readable format that upon proper release by the user can be presented to other authentication servers for later transactions, as evidence of identity and avoiding the need to reauthenticate the user for later events. As illustrated, digital certificate 902 contains an expiration field, but the certificate can be generated to persist indefinitely.

Digital certificate 902 may be updated using a full or abbreviated authentication process 10 according to the invention, according to the grade of security required for particular future transactions. For example, a digital certificate 902 may be issued recording a medium grade of confidence of the user's identity, but to execute a sensitive transaction, the user may need to update and upgrade the digital certificate 902 to perform that later transaction.

Although illustrated with two levels of authentication processing, it will be understood that the invention contemplates three or more levels of authentication performing additional checks using additional databases or prompting the user for more information, when appropriate to transaction requirements. Any of the levels of the authentication process 10 may be implemented via an interactive query format, e.g., using a multiple choice check-off box. At no time during presentation of the interactive query is the user presented with potential answers revealing only correct information, so that identification information cannot be captured simply by entering authentication process 10. Moreover, in the implementation of the invention it is possible to follow the entire authentication process 10 with a consumer profiling step, in which the now-authenticated user identity is associated with purchase, travel, geographic and other information to enable more highly targeted marketing or transaction activity.

In general, in the execution of the authentication process 10 of the invention, answers to the interactive query questions are given highest relative weighting, followed by authentication checks against a user's credit file, followed by telephone information and then driver's license information.

As shown in FIG. 4 and described above, the preprocessing step 26 may be conducted before the hierarchy of authentication levels and include several preliminary procedures, mainly designed to ensure consistency in format. Discussion will return to preprocessing step 26 to describe the preprocessing stage in more detail in conjunction with FIGS. 5-8. It will be understood that various combinations of standardization 400, formatting verification 410, verifying consistency 420, and verifying data validity 430 may be incorporated into the preprocessing step 26. As illustrated in FIG. 1, after preprocessing step 26 is executed a decision 28 is made whether authentication should proceed. The decision 28 may result in a return to initial step 14 or an end to the automated authentication process 10 at step 30.

If preprocessing step 26 includes a formatting verification 410, the following process may be followed. The user input data is checked at step 500 to determine that it is properly formatted. For example, the data may be checked to verify that the required fields have been entered (e.g., user name) or that the proper number of characters have been entered (e.g., nine digits for a social security number). If the result of the decision step 500 is that the data is not in the proper form, a determination is made at step 510 whether the user has been prompted for this information previously.

The authentication process 10 may be configured to allow a predetermined number of chances for the user to input data in the correct format. If the number of attempts exceeds the predetermined number, the process may terminate at step 520. If the predetermined number of chances has not been exceeded, the user may be prompted to input the data in the correct format at step 530. If the data is in the correct format, the process proceeds to step 540.

FIG. 6 depicts the process for standardization 400 of the data. At step 600 a determination is made whether the data is in the proper standard form. For example, the user's postal address may be checked for misspelled street names, or unnecessary punctuation. If the determination 600 finds the data to be non-standard, a determination 610 is made whether the non-standard data can be corrected. If the data can be corrected, it may be accomplished at step 620 by internal or other processes. If the data cannot be corrected, a determination is made at step 630 whether the user has been prompted for this information previously.

The authentication process may be configured to allow a predetermined number of chances for the user to input data in the correct format. If the number of attempts exceeds the predetermined number, the process may terminate at step 640. If the predetermined number of chances has not been exceeded, the user may be prompted to input standard data at step 650. If the data is in standard form, the process proceeds to the step 660.

FIG. 7 depicts the process for determining the validity 430 of the data. For example, the validity may be verified by determining at step 700 whether the data is valid (e.g., does the social security number match any social security number found on the published deceased or fraudulent table). If the determination is made that the data is invalid, a determination is made at step 710 whether the user has been prompted for this information previously. If the number of attempts exceeds the predetermined number, the process may update the transaction record at step 720 to reflect the presence of the invalid data.

After the transaction record 112 is updated in step 720, an additional determination is made at step 730 of whether the process can proceed with this invalid data. If not, the process may terminate at step 740. If it can, the process may proceed to step 750. If the predetermined number of chances has not been exceeded, the user may be prompted to input valid data at step 760. If the data is valid, the process proceeds to step 750.

A similar process may be followed to determine whether the data is consistent at step 420, as illustrated in FIG. 8. In step 760, the determination is made whether the data from separate field entries are consistent. For example, data may be checked to verify that the area code entered matches the zip code entered. If the determination is made that the data entered by the user is not consistent, a determination is made at step 770 whether the user has been prompted for this information previously. If the number of attempts exceeds the predetermined number, the process may update the transaction record 112 in step 780 to reflect the presence of the inconsistent data.

After the transaction record 112 is updated in step 780, an additional determination is made at step 790 of whether the process can proceed with this inconsistent data. If not, the process may terminate at step 800. If it can, the process may proceed to step 810. If the predetermined number of chances has not been exceeded, the user may be prompted to input valid data at step 820. If the data is valid, the process proceeds to step 810 and the next preprocessing check.
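The attempt-limited flow of FIGS. 5-8 (check, re-prompt once, record the outcome, then either proceed or terminate) can be written as one loop over the configured checks. This is an added example, not code from the patent: the field names, the per-check proceed policy, the three-entry area code excerpt and the sample submissions are assumptions constructed for illustration.

```python
import re

MAX_TRIES = 2  # the text: one additional attempt, two tries in total

# Small illustrative excerpt standing in for the area code table.
AREA_CODE_STATE = {"212": "NY", "415": "CA", "404": "GA"}


def ssn_format_ok(record):
    """Formatting check: nine digits once separators are removed."""
    digits = re.sub(r"[-\s]", "", record.get("ssn", ""))
    return re.fullmatch(r"\d{9}", digits) is not None


def area_code_ok(record):
    """Consistency check: the phone's area code belongs to the stated state."""
    digits = re.sub(r"\D", "", record.get("phone", ""))
    return len(digits) == 10 and AREA_CODE_STATE.get(digits[:3]) == record.get("state")


# (field, check, can the request proceed if the field stays invalid?)
# Per the text, a rejected social security number aborts the process, while
# a rejected phone number is recorded and the process proceeds.
CHECKS = [("ssn", ssn_format_ok, False), ("phone", area_code_ok, True)]


def preprocess(submissions):
    """Run the checks over an initial request plus any user corrections.

    submissions: iterable of dicts; the first is the request, each later one
    is the user's answer to a re-prompt. Returns the transaction record.
    """
    stream = iter(submissions)
    record = dict(next(stream))
    transaction = {"results": {}, "status": "in_progress"}
    for field, check, can_proceed in CHECKS:
        tries = 1
        while not check(record) and tries < MAX_TRIES:
            correction = next(stream, None)   # re-prompt the user
            if correction is None:            # user gave no further input
                break
            record.update(correction)
            tries += 1
        valid = check(record)
        # Record the result, valid or not valid, in the transaction record.
        transaction["results"][field] = {"valid": valid, "tries": tries}
        if not valid and not can_proceed:
            transaction["status"] = "aborted"
            return transaction
    transaction["status"] = "complete"
    return transaction


if __name__ == "__main__":
    # Constructed input: a short SSN corrected on the second try.
    print(preprocess([
        {"ssn": "00000000", "phone": "212-555-0100", "state": "NY"},
        {"ssn": "000-00-0000"},
    ]))
```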

FIGS. 9-11 show an example of the use of a matrix to verify address information in processing validity 430 or consistency 420. As shown, the verification process, which may be implemented using the commercially available PostalSoft, generates a matrix of address values to determine certain address information. FIG. 10 shows an example of certain error codes which may be generated to prompt user responses according to PostalSoft format when entered values, such as zip code, are not in proper format. FIG. 11 shows an example of certain actions and messages according to other types of data entered during processing for consistency 420.

Generally speaking, there are several ways to administer the queries at the various levels of authentication of the invention, depending upon the requirements of the transaction. If the user is available at the time of application for an interactive dialog (e.g., Internet request), a multiple choice questionnaire is preferably dynamically created by authentication process 10 and presented to the user, through client 110, for completion.

Multiple choice alternatives for each question are preferably selected based upon the regional biases of the user, if applicable, and are designed to make it difficult for a fraudulent applicant to correctly guess the answers. That is, potential selections for various credit line or merchant account providers are provided in the same general geographic region as the user's home address, so that credit line account vendors are not obviously wrong based on location. The user points and clicks on their selections, or provides answers in some other suitable way. The user-supplied answers are then returned to authentication process 10 by client 110 for automated evaluation.

If the user is not present at the time of application (e.g., batch submission), the information required to administer validation is provided on the initial application. If the user supplies account numbers, second level authentication step 40 will attempt to make the comparisons automatically. However, if the comparisons cannot be made automatically or the account numbers are not provided, the comparisons may be accomplished manually through human intervention. The results are returned to second level authentication step 40 for final evaluation.

FIG. 18 illustrates an example authentication carried out according to authentication process 10 of the invention. In general, as illustrated in that figure, the user presents name, social security number, date of birth, email and mailing address information, followed by home telephone number and driver's license data. That information is accepted and processed through preprocessing step 26 and first level authentication step 32, after which it is determined that the data are consistent and merit proceeding to second level authentication step 40.

In second level authentication step 40, a sequence of questions is presented in an interactive query directed to mortgage account information, requesting lender and amount information followed by other merchant account information. Following successful authentication, the user is asked whether they wish to generate digital certificate 902, which is generated recording the successful authentication and protecting the digital certificate 902 by way of identification and challenge question data.

Any or all of the processing steps described above can be invoked selectively or rearranged to constitute a complete authentication process 10. The requirements of the transaction will determine which processes to combine for particular authentication needs. It is possible to configure several different implementations as standard offerings. The party employing the authentication system (vendor) can either use these standard offerings, or customize a configuration to their needs. With any implementation, the invention allows flexibility in determining certainty of authenticity, either through process configuration or setting certainty thresholds.

In the practice of the invention, in the event of temporary downtime or other unavailability of any of the data sources used for comparison, the invention may revert to a backup source for that particular type of information (which may be generally consistent but not as current), substitute another data source, or take other action.

FIG. 42 illustrates an offline remote authentication embodiment of the invention, in which some processing including delivery of a validated ID is conducted using ordinary mail. As illustrated in FIG. 42, in this embodiment, a remote authentication system 1002 controls two processing objects, a remote authentication object with a social security number field 1004, and a remote authentication object without a social security number field 1006. The remote authentication system 1002 invokes the remote authentication object 1004 when a user has presented a social security number, in an online application for a credit or other transaction. The remote authentication object 1004 may invoke the preprocessing step 26, to process standard field checks as in the other embodiments above. In this embodiment, in part because of the requirements for mail delivery, failure of one or more data fields for address standardization, such as zip code errors, blank fields, foreign addresses, and undeliverables may result in a failure state 1018. The failure state 1018 may also be reached when age is less than a predetermined level, or standard social security checks as described above are not met. Other factors which may result in a failure state 1018 include mismatches concerning telephone numbers, social security numbers and fraud victim indicators present in a credit file.

If the remote authentication object 1004 determines that the user has achieved a sufficient score during preprocessing step 26 and any further processing steps, the pass state 1008 may be reached. Online issuance of a digital certificate 902 or other authentication may ensue. However, if the remote authentication object 1004 determines that the user's score lies between those designated for a pass state 1008 and a failure state 1018, the remote authentication object may offer an offline authentication state 1010, in which verification is transmitted using regular mail.

In this condition, offline authentication state 1010 invokes mailability filter 1012, which tests for matches on first initial, last name, a house number and zip code from at least one address database, as well as consistency of age and year of birth and a social security number which is either valid or shows no more than a small number of digit transpositions. Other criteria may be applied. If a sufficient score is reached in the mailability filter 1012 processing, a mail state 1014 is reached in which the entered addressing information is used to transmit a PIN or other identification information to the user via regular mail. If a sufficient score is not reached in the mailability filter 1012, a failure state 1016 is reached, no verification is sent by mail and processing terminates.
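The routing just described for a user who supplies a social security number (pass state 1008, failure state 1018, or the offline path through mailability filter 1012) can be sketched as follows. This is an added example, not code from the patent: the numeric thresholds, the one-point-per-check scoring, the `Identity` record and all function names are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    PASS_1008 = "pass state 1008"
    FAIL_1018 = "failure state 1018"
    MAIL_1014 = "mail state 1014"
    FAIL_1016 = "failure state 1016"

# Assumed values: the description gives no numeric thresholds.
PASS_SCORE, FAIL_SCORE = 80, 40   # scores strictly between these go offline
MIN_AGE = 18                      # the "predetermined level" for age
MAX_TRANSPOSITIONS = 1            # the "small number" of SSN digit swaps
MAIL_SCORE = 6                    # all six mailability checks must match

@dataclass
class Identity:
    first_name: str
    last_name: str
    house_number: str
    zip_code: str
    ssn: str
    age: int
    birth_year: int

def transpositions(entered, on_file):
    """Adjacent-digit swaps separating two SSNs, or None for any other difference."""
    if len(entered) != len(on_file):
        return None
    swaps, i = 0, 0
    while i < len(entered):
        if entered[i] == on_file[i]:
            i += 1
        elif entered[i:i + 2] == on_file[i:i + 2][::-1]:
            swaps, i = swaps + 1, i + 2
        else:
            return None
    return swaps

def mailability_score(entered, on_file, current_year):
    """Mailability filter 1012: one point per check named in the description."""
    swaps = transpositions(entered.ssn, on_file.ssn)
    return sum([
        entered.first_name[:1].upper() == on_file.first_name[:1].upper(),
        entered.last_name.upper() == on_file.last_name.upper(),
        entered.house_number == on_file.house_number,
        entered.zip_code == on_file.zip_code,
        current_year - entered.birth_year - entered.age in (0, 1),
        swaps is not None and swaps <= MAX_TRANSPOSITIONS,
    ])

def remote_authenticate(entered, on_file, score, current_year):
    """Route an applicant who supplied an SSN (remote authentication object 1004)."""
    # Field checks modeled here: blank fields, zip format, minimum age.
    blank = any(not str(v).strip() for v in vars(entered).values())
    bad_zip = not (entered.zip_code.isdigit() and len(entered.zip_code) == 5)
    if blank or bad_zip or entered.age < MIN_AGE or score <= FAIL_SCORE:
        return State.FAIL_1018
    if score >= PASS_SCORE:
        return State.PASS_1008
    # Offline authentication state 1010: mail a PIN only if the filter is satisfied.
    if mailability_score(entered, on_file, current_year) >= MAIL_SCORE:
        return State.MAIL_1014
    return State.FAIL_1016

# Constructed sample data, not real records.
ON_FILE = Identity("Dana", "Example", "12", "30301", "123456789", 40, 1958)
TYPO = Identity("D", "example", "12", "30301", "123465789", 40, 1958)

if __name__ == "__main__":
    print(remote_authenticate(TYPO, ON_FILE, score=60, current_year=1999))
```

Because the PIN is mailed to the address the applicant entered, the sketch requires every address check to match and tolerates slack only in the social security number.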

If a user fails to supply a social security number, as illustrated in FIG. 42 control is passed to remote authentication object 1006, which may apply the preprocessing step 26 and further steps to test inputted user information. If the inputted user information does not reach a predetermined threshold, control passes to a failure state 1022. If a sufficient authentication score is reached, processing proceeds to offline authentication object 1020. Offline authentication object 1020 invokes mailability filter 1024 which processes the user-supplied input without a social security number to determine whether address standardization, age-related, address-related, or fraud flags are present. If a sufficient authentication score is reached in mailability filter 1024, control passes to the mail state 1026, in which a valid identification PIN is transmitted to the user at the entered address using regular mail. Conversely, if mailability filter 1024 is not satisfied, a failure state 1028 is reached in which no material is mailed and processing terminates.

An embodiment of the remote authentication system 1002 is illustrated in more detail in FIG. 43, in which a social security supply object 1030 tests whether the user is capable of providing a social security number field. If the user is capable of providing a social security number field, control proceeds to pass test module 1032, which may perform preprocessing step 26, first level authentication step 32, second level authentication step 40 or other processing. If the user passes those levels of authentication with a sufficient score, control passes to an earned icon state 1034, providing the user with an online authentication icon, digital certificate 902 or other issued verification.

If the pass test module 1032 is not passed, a fatal error object 1036 may test for fatal errors in social security, address, age-related or other desired data fields. If fatal error object 1036 does not detect a fatal error, control passes to a mailability filter 1038 which tests for mailability using zip code and state, name, deliverability and other field checks, after which a mail state 1040 is entered if the user has successfully established reliable information. After mail state 1040 is entered, both the PIN may be mailed via regular mail and a user icon issued in earned icon state 1042. Conversely, if either the fatal error object 1036 or mailability filter 1038 are not satisfied with the information the user has entered, a failure state 1044 is entered, and processing ends without transmitting an ID via mail or an icon being issued.

As illustrated in FIG. 44, alternatively if the user is not capable of supplying a social security number to social security test object 1030, then control passes to fatal error object 1046. If no fatal error is detected by fatal error object 1046, control is passed to mailability filter 1048, which tests for deliverable mailing information, as above. If mailability filter 1048 is satisfied, the mail state 1050 is reached in which a regular PIN identification is mailed via mail to the user, after which an earned icon state 1052 is reached, issuing the user an online icon identification. Conversely, if either the fatal error object 1046 or mailability filter 1048 are not satisfied, a failure state 1054 is reached, and processing ends.

The foregoing description of the authentication system and method of the invention is illustrative, and variations in construction and implementation will occur to persons skilled in the art. For instance, while the invention has been generally described as involving a single user supplying authentication information in a single interactive session or alternatively in batch mode, both queries and user input may be provided at different times using different input modes, when the transaction allows. This may be the case for instance when the transaction involves setting up an online subscription to publications or services.

For further example, while the invention has been described in a client/server environment in which a user initiates a transaction using a personal computer or other device over a computer network, the user could initiate the transaction over other networks. The user for instance could conduct a transaction using a cellular telephone equipped with an alphanumeric display which permits the user to keypad data in over the mobile cellular network.

For yet further example, while the invention has been illustrated in terms of an individual consumer initiating a network transaction, the invention can also verify the identity of other entities such as corporations, schools, government units and others seeking to transact business over a network. Those entities can be international in nature. The scope of the invention is accordingly intended to be limited only by the following claims.

What is claimed is:
 1. A method of controlling access to an online-provided service hosted on a host system, comprising: (a) first querying a user, who is operating a user system, about a first type of information; (b) determining the extent to which the user correctly answers the first query; (c) if the user sufficiently correctly answers the first query, second querying the user utilizing credit related information about the user wherein credit related information: (i) is stored on a credit reporting system other than the user system or the host system; and (ii) originates from a plurality of the user's creditors who report to the credit reporting system credit related information about the user; (d) in real time, determining the extent to which the user correctly answers the second query; and (e) in real time and on-line, determining whether to grant or deny the user access to the on-line provided service based at least part on the extent to which the user correctly answers the second query.
 2. The method of claim 1, wherein the first type of information includes at least one of the following: wallet type information, non-wallet type information, credit related information about the user, or biometric data of the user.
 3. The method of claim 1, wherein element (b) further comprises: (i) retrieving user identification information from a data source; (ii) comparing the first type of information supplied by the user with user identification information retrieved from the data source; and (iii) determining a level of correspondence between the first type of information supplied by the user and the user identification information retrieved from the data source.
 4. The method of claim 3, wherein the data source comprises credit-related information of the user.
 5. The method of claim 3, wherein the data source comprises a non-credit-related information of the user.
 6. The method of claim 3, wherein the data source comprises a plurality of data sources.
 7. The method of claim 3, wherein element (b) further comprises: (iv) comparing a response pattern of the user to a scoring matrix with at least one score corresponding to the relative degree of confidence in a predetermined user response pattern; and (v) determining whether to deny or grant further access to the host system service based upon the response pattern of the user.
 8. The method of claim 1, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon at least one value stored in a scoring matrix.
 9. The method of claim 8, wherein the scoring matrix includes a set of point values according to the relative degree of significance of the credit related information.
 10. The method of claim 8, wherein the scoring matrix includes a set of point values according to the relative degree of reliability of the credit related information.
 11. The method of claim 1, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon a collective set of values assigned for matching a user's answer to the first query and for matching a user's answer to the second query for credit related information about the user.
 12. The method of claim 1, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon a collective set of values assigned for matching a plurality of user's answers to a second query for credit related information about the user.
 13. The method of claim 1, wherein element (d) further comprises: (i) comparing a response pattern of the user to a scoring matrix with at least one score corresponding to the relative degree of confidence in a predetermined user response pattern; and (ii) generating an authenticity certainty score to determine whether to deny or grant further access to the host system service based upon the response pattern of the user.
 14. The method of claim 1, wherein the credit reporting system comprises a plurality of credit reporting databases.
 15. The method of claim 1, wherein the host system communicates with the user system and the credit-reporting system via the Internet.
 16. A method of authenticating a user in real time operating a user system to access an on-line provided service hosted on a host system, comprising: (a) querying the user about a first type of information; (b) determining a correspondence between the user's response and the query about the first type of information; (c) if a sufficient correspondence exists between the user's response and the query about the first type of information, querying the user about credit related information, wherein the credit related information: (i) is accessed by a credit reporting system separate from the user system and the host system; and (ii) originates from a plurality of user's creditors reporting credit related information about the user to the credit reporting system; (d) determining a correspondence between the user's response and the query for credit related information; and (e) if a sufficient correspondence exists between the user's response and the query about the credit-related information, granting or denying the user access to the on-line provided service.
 17. The method of claim 16, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon at least one value stored in a scoring matrix.
 18. The method of claim 17, wherein the scoring matrix includes a set of point values according to the relative degree of significance of the credit related information.
 19. The method of claim 17, wherein the scoring matrix includes a set of point values according to the relative degree of reliability of the credit related information.
 20. The method of claim 16, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon a collective set of values assigned for matching a user's response to the first query and for matching a user's response to the second query for credit related information about the user.
 21. The method of claim 16, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon a collective set of values assigned for matching a plurality of user's responses to a second query for credit related information about the user.
 22. (New) The method of claim 16, wherein element (d) further comprises: (i) comparing a response pattern of the user to a scoring matrix with at least one score corresponding to the relative degree of confidence in a predetermined user response pattern; and (ii) generating an authenticity certainty score to determine whether to deny or grant further access to the host system service based upon the response pattern of the user.
 23. The method of claim 16, wherein the credit reporting system comprises a plurality of credit reporting databases.
 24. The method of claim 16, wherein the host system communicates with the user system and the credit-reporting system via the Internet.
 25. A method of verifying an identity of a user in real-time by accessing an on-line service via a user system, wherein the on-line service is provided by a host system, and the host system communicates with a credit reporting system maintaining credit related information from a plurality of the user's creditors, the method comprising: (a) querying the user about a first type of information; (b) determining a correspondence between the user's response and the query about the first type of information; (c) if the user sufficiently responds to the first query about the first type of information, second querying the user about the user's credit related information from the credit reporting system; (d) determining if the user sufficiently responds to the query for credit related information; and (e) determining whether to grant or deny the user access to the on-line service based at least in part on the sufficiency of the user's response to the second query.
 26. The method of claim 25, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon at least one value stored in a scoring matrix.
 27. The method of claim 26, wherein the scoring matrix includes a set of point values according to the relative degree of significance of the credit related information.
 28. The method of claim 26, wherein the scoring matrix includes a set of point values according to the relative degree of reliability of the credit related information.
 29. The method of claim 25, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon a collective set of values assigned for matching a user's response to the first query and for matching a user's response to the second query for credit related information about the user.
 30. The method of claim 25, wherein element (d) further comprises: (i) generating an authenticity certainty score based upon a collective set of values assigned for matching a plurality of user's responses to a second query for credit related information about the user.
 31. The method of claim 25, wherein element (d) further comprises: (i) comparing a response pattern of the user to a scoring matrix with at least one score corresponding to the relative degree of confidence in a predetermined user response pattern; and (ii) generating an authenticity certainty score to determine whether to deny or grant further access to the host system service based upon the response pattern of the user.
 32. The method of claim 25, wherein the credit reporting system comprises a plurality of credit reporting databases.
 33. The method of claim 25, wherein the host system communicates with the user system and the credit-reporting system via the Internet.
 34. An authentication system for authenticating a user in real-time, wherein the user attempts to access an on-line service via a remote user system, the authentication system comprising: a host system for hosting the on-line service, the host system configured for: (a) querying the user about a first type of information; (b) determining a correspondence between the user's response and the query about the first type of information; (c) if the user sufficiently responds to the first query about the first type of information, second querying the user about credit related information; and (d) accessing credit related information in a credit reporting system; the credit reporting system configured for: (e) communicating credit related information from a plurality of a user's creditors to the host system; and the host system further configured for: (f) determining if the user sufficiently responds to the second query based upon a comparison of a user's response to the second query to the credit related information of the user; and (g) determining whether to grant or deny the user access to the on-line service based at least in part on the sufficiency of the user's response to the second query.
 35. The system of claim 34, wherein element (f) further comprises: (i) generating an authenticity certainty score based upon at least one value stored in a scoring matrix.
 36. The system of claim 35, wherein the scoring matrix includes a set of point values according to the relative degree of significance of the credit related information.
 37. The system of claim 35, wherein the scoring matrix includes a set of point values according to the relative degree of reliability of the credit related information.
 38. The system of claim 34, wherein element (f) further comprises: (i) generating an authenticity certainty score based upon a collective set of values assigned for matching a user's response to the first query and for matching a user's response to the second query for credit related information about the user.
 39. The system of claim 34, wherein element (f) further comprises: (i) generating an authenticity certainty score based upon a collective set of values assigned for matching a plurality of user's responses to a second query for credit related information about the user.
 40. The system of claim 34, wherein element (f) further comprises: (i) comparing a response pattern of the user to a scoring matrix with at least one score corresponding to the relative degree of confidence in a predetermined user response pattern; and (ii) generating an authenticity certainty score to determine whether to deny or grant further access to the host system service based upon the response pattern of the user.
 41. The system of claim 34, wherein the credit reporting system comprises a plurality of credit reporting databases.
 42. The system of claim 34, wherein the host system communicates with the user system and the credit-reporting system via the Internet.